Tuesday, February 16, 2021

3 Advisories and 1 Update Published – 2-16-21

Today CISA’s NCCIC-ICS published two control system security advisories for products from Rockwell and Open Design Alliance, as well as a medical device security advisory for products from Hamilton Medical. They also updated an advisory from M&M Software (WAGO).

Rockwell Advisory

This advisory describes an improper handling of length parameter inconsistency vulnerability in the Allen-Bradley MicroLogix 1100 Programmable Logic Controller. The vulnerability was reported by Talos. Rockwell advises upgrading to the MicroLogix 1400, firmware v21.006 or higher.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to cause denial-of-service conditions.

NOTE: I briefly discussed this vulnerability on Saturday.

Open Design Alliance Advisory

This advisory describes six vulnerabilities in the Open Design Alliance Drawings SDK. The vulnerabilities were reported by Michael DePlante and rgod via the Zero Day Initiative. ODA has a newer version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The six reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2021-25178,

• Type confusion - CVE-2021-25177,

• Untrusted pointer dereference - CVE-2021-25176,

• Incorrect type conversion or cast - CVE-2021-25175, and

• Memory allocation with excessive size value (2) - CVE-2021-25174 and CVE-2021-25173

NCCIC-ICS reported that a relatively low-skilled attacker with uncharacterized access could exploit these vulnerabilities to allow code execution in the context of the current process or cause a denial-of-service condition.

NOTE: These vulnerabilities were reported last week in NCCIC’s Siemens JT2Go and Teamcenter Visualization (ICSA-21-040-06) advisory and the Siemens advisory (SSA-663999) upon which it was based. Both advisories provided links to the ODA advisory. It will be interesting to see what other vendors use this ODA tool.

Hamilton Advisory

This advisory describes three vulnerabilities in the Hamilton-T1 Ventilator. The vulnerabilities were reported by Julian Suleder, Raphael Pavlidis, Nils Emmerich and Dr. Oliver Matula of ERNW Research. Hamilton recommends updating to newer versions to mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Use of hard-coded credentials - CVE-2020-27278,

• Missing XML validation - CVE-2020-27282, and

• Exposure of sensitive information - CVE-2020-27290

NCCIC-ICS reports that a relatively low-skilled attacker with physical access to the device could exploit the vulnerabilities to obtain sensitive information or crash the device being accessed.

NOTE: For those that are interested, here is the German BSI’s report on a whole slew of these vulnerabilities that were reported by ERNW Research for this BSI project. Not a lot of detail, but there are a lot of vulnerable devices.

WAGO Update

This update provides additional information on an advisory that was originally published on January 21st, 2021 and most recently updated on February 4th, 2021. The new information includes adding the Mitsubishi Electric MELSOFT FieldDeviceConfigurator as an affected product with a link to the Mitsubishi advisory.
